/etc/polkit-1/rules.d/50-custom.rules
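polkit.addRule(function(action, subject) {
    // Authorization policy for non-root sessions. polkit evaluates rules in
    // order and the first rule that returns a polkit.Result value decides,
    // so the order of the checks below matters: root first, then power
    // denials, then the per-subsystem grants, then the admin-only list.
    var id = action.id;
    // subject.local: session on a local seat; subject.active: that seat's
    // foreground session. Together they exclude SSH and background sessions.
    var isLocalActive = subject.local && subject.active;

    // 1. root is allowed everything and is not subject to the rules below.
    if (subject.user === "root") {
        return polkit.Result.YES;
    }

    // 2. Deny power operations (shutdown / reboot / suspend / hibernate).
    //    Substring matching is deliberate: it also catches the
    //    *-multiple-sessions / *-ignore-inhibit variants of these actions,
    //    and a false positive here only denies, so it fails closed.
    var powerKeywords = ["power-off", "reboot", "suspend", "hibernate", "hybrid-sleep"];
    for (var i = 0; i < powerKeywords.length; i++) {
        if (id.indexOf(powerKeywords[i]) !== -1) {
            return polkit.Result.NO;
        }
    }

    // 3. udisks2: local active users may operate on disks without a
    //    password; everyone else needs the admin password.
    //    A prefix check on the action namespace (with the trailing dot) is
    //    used instead of String.match("org.freedesktop.udisks2"), which
    //    compiles the string as a regex with unescaped dots and matches
    //    anywhere in the id.
    //    NOTE(review): this prefix grants every udisks2 action, including the
    //    system-device variants (e.g. filesystem-mount-system,
    //    open-device-system) that upstream defaults to admin authentication;
    //    narrow this to the specific ids needed if that is not intended.
    if (id.indexOf("org.freedesktop.udisks2.") === 0) {
        return isLocalActive ? polkit.Result.YES : polkit.Result.AUTH_ADMIN;
    }

    // 4. Low-risk NetworkManager actions that local active users may
    //    perform without a password (wifi scan, traffic statistics toggle).
    //    Non-local or inactive sessions fall through to the admin-only
    //    list in step 5, which contains the same ids.
    var localActiveAllowed = [
        "org.freedesktop.NetworkManager.wifi.scan",
        "org.freedesktop.NetworkManager.enable-disable-statistics"
    ];
    if (isLocalActive && localActiveAllowed.indexOf(id) !== -1) {
        return polkit.Result.YES;
    }

    // 5. Strict network policy: every network-related action below requires
    //    the admin password for any user, local or not. Which accounts count
    //    as "admin" is decided by the addAdminRule() in this file.
    var networkActions = [
        // NetworkManager
        "org.freedesktop.NetworkManager.checkpoint-rollback",
        "org.freedesktop.NetworkManager.enable-disable-connectivity-check",
        "org.freedesktop.NetworkManager.enable-disable-network",
        "org.freedesktop.NetworkManager.enable-disable-statistics",
        "org.freedesktop.NetworkManager.enable-disable-wifi",
        "org.freedesktop.NetworkManager.enable-disable-wimax",
        "org.freedesktop.NetworkManager.enable-disable-wwan",
        "org.freedesktop.NetworkManager.network-control",
        "org.freedesktop.NetworkManager.reload",
        "org.freedesktop.NetworkManager.settings.modify.global-dns",
        "org.freedesktop.NetworkManager.settings.modify.hostname",
        "org.freedesktop.NetworkManager.settings.modify.own",
        "org.freedesktop.NetworkManager.settings.modify.system",
        "org.freedesktop.NetworkManager.sleep-wake",
        "org.freedesktop.NetworkManager.wifi.scan",
        "org.freedesktop.NetworkManager.wifi.share.open",
        "org.freedesktop.NetworkManager.wifi.share.protected",
        // systemd-networkd
        "org.freedesktop.network1.forcerenew",
        "org.freedesktop.network1.reconfigure",
        "org.freedesktop.network1.reload",
        "org.freedesktop.network1.renew",
        "org.freedesktop.network1.revert-dns",
        "org.freedesktop.network1.revert-ntp",
        "org.freedesktop.network1.set-default-route",
        "org.freedesktop.network1.set-dns-over-tls",
        "org.freedesktop.network1.set-dns-servers",
        "org.freedesktop.network1.set-dnssec",
        "org.freedesktop.network1.set-dnssec-negative-trust-anchors",
        "org.freedesktop.network1.set-domains",
        "org.freedesktop.network1.set-llmnr",
        "org.freedesktop.network1.set-mdns",
        "org.freedesktop.network1.set-ntp-servers",
        "org.freedesktop.network1.set-persistent-storage",
        // systemd-resolved
        "org.freedesktop.resolve1.dump-cache",
        "org.freedesktop.resolve1.dump-server-state",
        "org.freedesktop.resolve1.dump-statistics",
        "org.freedesktop.resolve1.register-service",
        "org.freedesktop.resolve1.reset-statistics",
        "org.freedesktop.resolve1.revert",
        "org.freedesktop.resolve1.set-default-route",
        "org.freedesktop.resolve1.set-dns-over-tls",
        "org.freedesktop.resolve1.set-dns-servers",
        "org.freedesktop.resolve1.set-dnssec",
        "org.freedesktop.resolve1.set-dnssec-negative-trust-anchors",
        "org.freedesktop.resolve1.set-domains",
        "org.freedesktop.resolve1.set-llmnr",
        "org.freedesktop.resolve1.set-mdns",
        "org.freedesktop.resolve1.subscribe-query-results",
        "org.freedesktop.resolve1.unregister-service",
        // ConnMan
        "net.connman.modify",
        "net.connman.secret",
        "net.connman.vpn.modify",
        "net.connman.vpn.secret",
        // airplane mode / rfkill
        "org.freedesktop.urfkill.block",
        "org.freedesktop.urfkill.blockidx",
        "org.freedesktop.urfkill.flight_mode",
        // ModemManager
        "org.freedesktop.ModemManager1.Contacts",
        "org.freedesktop.ModemManager1.Control",
        "org.freedesktop.ModemManager1.Device.Control",
        "org.freedesktop.ModemManager1.Firmware",
        "org.freedesktop.ModemManager1.Location",
        "org.freedesktop.ModemManager1.Messaging",
        "org.freedesktop.ModemManager1.Time",
        "org.freedesktop.ModemManager1.USSD",
        "org.freedesktop.ModemManager1.Voice",
        // FirewallD
        "org.fedoraproject.FirewallD1.all",
        "org.fedoraproject.FirewallD1.config",
        "org.fedoraproject.FirewallD1.config.info",
        "org.fedoraproject.FirewallD1.direct",
        "org.fedoraproject.FirewallD1.direct.info",
        "org.fedoraproject.FirewallD1.info",
        "org.fedoraproject.FirewallD1.policies",
        "org.fedoraproject.FirewallD1.policies.info"
    ];
    if (networkActions.indexOf(id) !== -1) {
        return polkit.Result.AUTH_ADMIN;
    }

    // No decision for any other action: later rules files and the action's
    // own defaults apply.
});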
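// ==================== Only root counts as an administrator ====================
// Admin rules are first-match-wins across all rules files, processed in
// lexical filename order, so this only takes effect if no earlier file has
// already returned an identity list for the action.
polkit.addAdminRule(function(action, subject) {
    // polkit expects identities as "unix-user:<name>" or "unix-group:<name>".
    // A bare "root" is not a valid identity string: polkit rejects it when
    // parsing the returned array (a warning is logged to the journal), so the
    // rule would not actually restrict AUTH_ADMIN prompts to root as intended.
    return ["unix-user:root"];
});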
/etc/systemd/system/remove-kvm-intel.service
# One-shot unit that unloads the kvm_intel module once, early in boot.
# NOTE(review): modprobe -r only unloads a module that is currently loaded;
# it does not prevent the kernel from loading kvm_intel again later. If the
# intent is to keep the module off permanently, a modprobe.d blacklist /
# "install kvm_intel /bin/false" entry is the usual mechanism — confirm
# which behaviour is wanted.
[Unit]
Description=Remove kvm_intel kernel module at boot
After=local-fs.target sysinit.target
Before=multi-user.target
[Service]
Type=oneshot
ExecStart=/sbin/modprobe -r kvm_intel
RemainAfterExit=no
# Ignore the error if the module is not loaded.
# Note that any exit status 1, whatever its cause (e.g. module still in use),
# is treated as success here, so a failed unload is not reported as a unit
# failure.
SuccessExitStatus=0 1
[Install]
WantedBy=multi-user.target